What's new

Doubts about R7800 Firmware / IPv6 Support

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I tried to get a good score (better than 15/20) for hours yesterday, without success.

One surprise for me is that there are no ip6tables firewall rules changed
when setting "Allow external IPv6 hosts ping internal IPv6 hosts"!

I must repeat my question to you that has got it to work:
Can anyone share with which settings you get 19-20/20, please.
E.g: "Advanced, Advanced Setup, IPv6": "Internet Connection Type":

To understand what is happening in the router when changing settings,
I made a script that compares things before and after, including output to dmesg and syslog.
The result from this is as follows:

SET Respond_to_Ping_on_Internet_Port:
2019-03-01 01:27:25 BEGIN
dmesg:
[ 9568.019369] === Reducing pace for error prints ====
[ 9568.023305] Start seq_num 0 End seq_num 0 tid 0 failed seq 0 - error occured 200 times
(This does not happen every time!)
syslog:
-----------------------------------------
Compare 1: nvram show
-wan=8576979632442
+wan=250566025472
-wan_endis_rspToPing=0
+wan_endis_rspToPing=1

Compare 2: netstat
-tcp 0 0 R7800:49152 192.168.1.200:53809 TIME_WAIT
+tcp 0 0 R7800:www 192.168.1.200:53961 TIME_WAIT
+tcp 0 0 R7800:49153 192.168.1.200:53979 TIME_WAIT
-tcp 0 0 R7800:49152 192.168.1.200:53825 TIME_WAIT
+tcp 0 0 R7800:49152 192.168.1.200:53956 TIME_WAIT
Compare 3: ethtool
Compare 4: iptables
-DROP icmp -- anywhere anywhere icmp echo-request
+ACCEPT icmp -- anywhere anywhere icmp echo-request

Compare 5: ip6tables
2019-03-01 01:27:46 END

SET Allow_external_IPv6_hosts_ping_internal_IPv6_hosts:
2019-03-01 01:29:20 BEGIN
dmesg:
syslog:
-----------------------------------------
Compare 1: nvram show
-collect_log=708758576237
+collect_log=63448634
-debug_info=708758576237
+debug_info=63448634

Compare 2: netstat
+tcp 0 0 R7800:49153 192.168.1.200:54226 TIME_WAIT
-tcp 0 0 R7800:49152 192.168.1.200:54115 TIME_WAIT
+tcp 0 0 R7800:49152 192.168.1.200:54216 TIME_WAIT
Compare 3: ethtool
Compare 4: iptables
Compare 5: ip6tables
2019-03-01 01:29:38 END


Yeah that IPv6 setting on the debut page is a hit or miss, even when it works it works only sometimes and oddly at times some devices get a low score while others don’t when the setting is finicky. I’ve honestly stopped trying to push for a fix, they responded once by phone; asked me to send settings and images of clients where sometimes some would suddenly start getting like 15/20 while others would get 20/20.

Kamoj try a few restarts, it may get the setting to stick at least that’s what I had to do.

Sorry KevTech I should have clarified I was talking about the setting in debug.htm that Kamoj mentioned above. I did enable respond to ping as well but the other setting was what fixed the issue for me when it sometimes decided to work.
 
All I did was enable respond to ping in WAN tab plus enabled that IPv6 setting in the debug.htm page. My main IPv6 settings were on autoconfig I believe.

I’m using the RAX80 with IPv6 not activated at the moment so I can’t check.
 
Can anyone share with which settings you get 19-20/20, please.

Nothing special just choose DHCP and hit apply. As stated I get 17/20 unless I check enable ping on the debug page then it's always 19/20 till it fails then back to 17/20
 
Just "DHCP"... avtella used "Auto Config" - he believe.
I used "Auto Detect" and IPv6 Filtering: Open.

So there are more settings to test I guess. :rolleyes:
PS
Do You mean the setting:
"Advanced, Advanced Setup, IPv6": "Internet Connection Type": "DHCP"?

Nothing special just choose DHCP and hit apply. As stated I get 17/20 unless I check enable ping on the debug page then it's always 19/20 till it fails then back to 17/20
 
Only thing I turned on was the response to ping on the WAN setup page.
The setting in debug was left disabled.
IPV6 is set to auto detect which then defaults to DHCP.

EDIT: IPv6 filtering is set to secured

{4B1EA031-703F-44DD-A752-9CF9E6AAC04B}.png.jpg
 
Last edited:
On Windows I had to make the following changes:

I did not have to do that as Win 10 already has the rules in there.
If you have file and printer sharing disabled then the rules are disabled as well.
Enabling file and printer sharing also enables the rules automatically.

{36C638CE-2720-47EA-8117-AD1B513EAFF6}.png.jpg
 
I definitely had File and Printer Sharing enabled, even after a full reinstall I still had to add the exceptions to firewall rules, despite sharing being enabled.
 
I definitely had File and Printer Sharing enabled, even after a full reinstall I still had to add the exceptions to firewall rules, despite sharing being enabled.

This on Windows 10?

It also matters what profile you setup as windows will choose public during setup unless you specifically choose private.

{F3A04A7A-EEE6-470F-A53F-9153304CE690}.png.jpg
 
Lots of things going on in this thread. To sum it up:

  • There is an option to allow ping requests in the WAN menu and another one in the debug menu
  • Apparently both options only work temporally. If someone did manage to make it work in a permanent basis, could you please let me know how?
  • Different people are experiencing very different results with ipv6 test. Some managed to get 19 points without having to modify anything other than the mentioned options in the router, others have to change rules in Windows Firewall and a third group can't get it to work one way or another.
  • So far no one confirmed if NG Firmware has an UI to set custom firewall rules for IPv6. Could someone please confirm if there is a custom UI to set firewall rules for IPv6?
  • ip6table rules and the option to Enable Ping are apparently separate. I didn't manage to poke a hole in the firewall with standard ip6table commands. In addition to it, when @kamoj checked "Enable Ping" in the UI, changes were not reflected in iptable rules.
Overall, the whole thing seems messy. By the way echo requests / responses are just one of the many types of ICMP messages. available. Since I don't know what the Enable Ping option does I can't be sure if it is only allowing Type 128 / 129 messages, unlocking the whole protocol or something in the middle. Complementary reading about the subject for those interested in ICMP:
Overall, while I know that this is a lot to expect from a consumer grade router, it would be really nice to get some clarification on what exactly is going on with ICMPv6, what kinds of messages are being allowed / blocked by the router and why.
 
Last edited:
As a point of reference, after having allowed ICMPv6 through Kaspersky Internet Security, I get 19/20 on http://ipv6-test.com/ through an Asus RT-AX88U. By default, WAN ICMPv4 is blocked. There is no setting for WAN ICMPv6.
 
As a point of reference, after having allowed ICMPv6 through Kaspersky Internet Security, I get 19/20 on http://ipv6-test.com/ through an Asus RT-AX88U. By default, WAN ICMPv4 is blocked. There is no setting for WAN ICMPv6.

That's because Asus is handling IPv6 the way it was intended and there not blocking ICMP requests in there firewall like Netgear is and refuses to address saying it's a security issue.
 
As a point of reference, after having allowed ICMPv6 through Kaspersky Internet Security, I get 19/20 on http://ipv6-test.com/ through an Asus RT-AX88U. By default, WAN ICMPv4 is blocked. There is no setting for WAN ICMPv6.

Yeah. AX88U, AC86 and AC68U are all working very well with IPv6. ICMPv6 messages are handled appropriately and Firewall works very well.
I have successfully exposed TCP / UDP ports using the router's UI.
Plus, I can confirm that AC68U and AX88U both support PMTU and are correctly issuing ICMPv6 "Packet Too Big messages" when necessary.
 
Was on Private, I always make sure, yes it was Win 10.

And this setting was enabled?

Even when set to private you must also enable this setting manually.

This is what enables or disables the firewall rules.

{BFE2FA0C-3C77-4F71-B0CF-C52DCD4F3156}.png.jpg
 
Yes, It was.
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top